
Add audit backend basic implementation #44

Open. Wants to merge 4 commits into base: master
Conversation

bn0ir
Contributor

@bn0ir bn0ir commented Apr 15, 2019

  • Add audit backend basic implementation;
  • Add redis audit backend;
  • Update README.

For audit purposes you sometimes want to have a machine-readable audit log.

Implements some basic functions for connecting an IDS/IPS system.

By default the audit log is disabled.

@kenshinx
Owner

Thanks for the PR @bn0ir.

I have a doubt: why not use the current file backend log system as an audit log directly, instead of developing an alternative audit log system?

  1. If you need a query log that is output in machine-readable formatting, maybe updating the log handler to support a custom log format is a better choice.

  2. If you just want to store logs in Redis, maybe redirecting logs from file to Redis via third-party tools such as Logstash or Flume is an option.

@bn0ir
Contributor Author

bn0ir commented Apr 29, 2019

We use godns as the DNS server for sandboxed untrusted software in our current project.

I tried to implement access logs on top of the existing log system, but had some problems:

  • The current log system works great as a server error/trace log and is very useful for getting information about what's going on with the system, but in the case of an access log it's difficult to separate the access log part from the error log part;
  • The log system has a flat log filter (DEBUG, INFO, WARN, ERROR); if we add one more level (AUDIT), there is a problem with situations where you want AUDIT logs but the error level stays at WARN;
  • All logs (ERROR, WARN, INFO, DEBUG) have a custom format and custom vars available at the time the log is written, so it's difficult to implement a custom_log_format option in the application config for all cases.

To resolve this situation I used nginx as an example of a similar application. It has two types of logs: error and access. That's why I tried to implement audit as a custom logger.

Logstash and Flume could perfectly fit my situation, but they are too heavy (as systems) to keep the logs of only one small application, plus the rules to parse logs in a non-regular format can be more sophisticated than adding an access log writer directly in the backend.

There is an additional branch with a PostgreSQL audit backend; we are using this one for our project now:
https://github.com/bn0ir/godns/tree/audit-backend-postgresql

I don't know whether an audit log will be useful for godns users in general, so it's OK if you reject this pull request.

If you have any ideas on how to implement it right (in a way more useful for the community) — I can rewrite it.

Thanks!
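The split described in the comment above (an audit/access logger with its own on/off switch and a pluggable sink, kept apart from the leveled error/trace logger), as an added Go example that is not code from this PR or from godns. The record fields, the `AuditBackend` interface and the in-memory stand-in for a Redis/PostgreSQL backend are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// AuditRecord is one machine-readable access-log entry for a DNS query.
// The field set is an assumption for this example, not godns's own schema.
type AuditRecord struct {
	Time   string `json:"time"`
	Client string `json:"client"`
	Name   string `json:"qname"`
	Type   string `json:"qtype"`
	Rcode  string `json:"rcode"`
}

// AuditBackend is the pluggable sink (Redis, PostgreSQL, ...). The real
// backends are not shown here; MemoryBackend is a stand-in for testing.
type AuditBackend interface {
	Write(line []byte) error
}

type MemoryBackend struct{ Lines [][]byte }

func (m *MemoryBackend) Write(line []byte) error {
	m.Lines = append(m.Lines, append([]byte(nil), line...))
	return nil
}

// Auditor is independent of the leveled logger: it has its own switch,
// so enabling audit output never changes the error/trace log level.
type Auditor struct {
	Enabled bool
	Backend AuditBackend
}

// Record serialises one query as a JSON line and hands it to the backend.
// It is a no-op when auditing is disabled (the default), reporting false.
func (a *Auditor) Record(at time.Time, client, qname, qtype, rcode string) (bool, error) {
	if !a.Enabled || a.Backend == nil {
		return false, nil
	}
	rec := AuditRecord{at.UTC().Format(time.RFC3339), client, qname, qtype, rcode}
	line, err := json.Marshal(rec)
	if err != nil {
		return false, err
	}
	return true, a.Backend.Write(line)
}

func main() {
	mem := &MemoryBackend{}
	a := &Auditor{Enabled: true, Backend: mem}
	// Constructed sample query, not captured traffic.
	a.Record(time.Unix(0, 0), "10.0.0.5", "example.com.", "A", "NOERROR")
	fmt.Println(string(mem.Lines[0]))
}
```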

@kenshinx
Owner

kenshinx commented May 7, 2019

Thanks for your detailed explanation. I believe the audit log is reasonable and valuable in your case. However, I hope the implementation of the Redis-backed or PG-backed variant can be more elegant and flexible. Besides, I am not sure whether the audit log is a common requirement for the community. I will leave the PR in open status until we have better ideas. What do you think?

@bn0ir
Contributor Author

bn0ir commented May 7, 2019

It's a good idea!
I will add the PostgreSQL branch to this pull request this week, to have all the linked code in one place.
Thank you!
